Keep workflow-level permissions: read-all in CodeQL workflow #43
Closed
Copilot wants to merge 1 commit into improvements from
Copilot AI changed the title from "[WIP] Address feedback on NuGet CI setup and dependencies update" to "Keep workflow-level permissions: read-all in CodeQL workflow" on Feb 20, 2026
A previous review suggested removing permissions: read-all at the workflow level in codeql.yml as redundant, since the analyze job defines its own explicit permissions block. However, removing it breaks CodeQL — the job-level security-events: write requires the workflow-level permission scope to be present for the token to upload analysis results.

Decision

permissions: read-all at the workflow level in .github/workflows/codeql.yml
actions: read, contents: read, security-events: write) remains unchanged as the least-privilege definition for the job itself
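Added example, not code from this pull request or its repository: a small resolver for the GITHUB_TOKEN permissions each job ends up with, following GitHub's documented rule that a job-level permissions block replaces the workflow-level one and leaves unlisted scopes at none. The workflow dict is constructed from the permissions named in the description above; the `report` job, the scope subset, the assumed repository default and the function names are assumptions for illustration.

```python
# Added example: which GITHUB_TOKEN permissions does each job actually get?
# SCOPES is an illustrative subset of the permission scopes, not the full list.
SCOPES = ("actions", "checks", "contents", "issues", "packages",
          "pull-requests", "security-events", "statuses")

# Assumption: the repository uses the restricted default token setting.
RESTRICTED_DEFAULT = {"contents": "read", "packages": "read"}


def expand(block):
    """Expand a `permissions:` value into a full scope -> level map."""
    if block == "read-all":
        return {s: "read" for s in SCOPES}
    if block == "write-all":
        return {s: "write" for s in SCOPES}
    # A mapping (including the empty {}) sets every unlisted scope to none.
    return {s: block.get(s, "none") for s in SCOPES}


def effective_permissions(workflow, job_name, repo_default=RESTRICTED_DEFAULT):
    """Job-level block wins outright; otherwise workflow-level; otherwise repo default."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return expand(job["permissions"])
    if "permissions" in workflow:
        return expand(workflow["permissions"])
    return expand(repo_default)


def granted(perms):
    """Only the scopes that are not `none`."""
    return {s: lvl for s, lvl in perms.items() if lvl != "none"}


# Constructed workflow modelled on the description above (parsed-YAML shape).
CODEQL = {
    "permissions": "read-all",
    "jobs": {
        "analyze": {"permissions": {"actions": "read",
                                    "contents": "read",
                                    "security-events": "write"}},
        "report": {},  # hypothetical job with no permissions block of its own
    },
}

if __name__ == "__main__":
    for name in CODEQL["jobs"]:
        print(name, granted(effective_permissions(CODEQL, name)))
```

Jobs without their own block are the ones whose token scope is decided by the workflow-level key, so those are the jobs to audit when that key is added, changed or removed.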